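# NixOS module: Woodpecker CI server run as a podman OCI container, fronted
# by an nginx virtual host that terminates TLS (ACME) for the web UI/API.
# Agents connect to the server on a separate port that is opened in the
# host firewall.
{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # Port of the web UI/API inside the container; reached only through nginx.
  httpPort = 8000;
  # Port the agents connect to; opened in the host firewall below.
  agentPort = 9000;
  domain = "ci.cyplo.dev";
  # Mount point of the named data volume inside the container.
  path = "/var/lib/woodpecker";
  serverContainerName = "woodpecker-server";
  # Fixed ids keep ownership stable across rebuilds and hosts.
  uid = 2061;
  gid = 3061;
  systemUserName = "woodpecker";
  systemGroupName = "woodpecker";
  # nginx and the published container port use the same literal loopback
  # address, so the proxy never tries an address the container is not bound to.
  loopback = "127.0.0.1";
in {
  imports = [../nginx.nix];

  users = {
    # NOTE(review): nothing visible in this module runs as this user, and
    # membership in "podman" presumably grants access to the podman socket;
    # confirm the group is still needed and drop it otherwise.
    users."${systemUserName}" = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
      extraGroups = ["podman"];
    };
    groups."${systemGroupName}" = {
      inherit gid;
      members = ["${systemUserName}"];
    };
  };

  services.nginx = {
    virtualHosts = {
      "${domain}" = {
        # Redirect plain HTTP to HTTPS and obtain the certificate via ACME.
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://${loopback}:" + toString httpPort;
        };
      };
    };
  };

  # Encrypted environment file handed to the container at start-up.
  # Presumably carries the Gitea OAuth client credentials and the shared
  # agent secret (WOODPECKER_AGENT_SECRET); verify against the file.
  sops.secrets."gitea-env" = {
    sopsFile = ./gitea.sops;
    format = "binary";
  };

  virtualisation.podman = {
    enable = true;
    defaultNetwork.dnsname.enable = true;
  };

  # The agent port is reachable from any source address.
  # NOTE(review): agent connections appear to be authenticated only by the
  # shared secret and the server does not terminate TLS on this port in this
  # config; confirm the secret is long and random, and consider restricting
  # the source addresses or tunnelling agent traffic.
  networking.firewall.allowedTCPPorts = [agentPort];

  virtualisation.oci-containers.containers = {
    "${serverContainerName}" = {
      # Pinned by digest, so the image cannot change underneath this config;
      # security updates therefore need an explicit digest bump.
      image = "woodpeckerci/woodpecker-server@sha256:acb188797f93b1b9228415b4418b8b8d2153df2e21f8c0c561a893243a542439";
      volumes = ["woodpecker-server-data:${path}"];
      environmentFiles = ["${config.sops.secrets.gitea-env.path}"];
      environment = {
        # Closed registration: only the admin and explicitly added users.
        WOODPECKER_OPEN = "false";
        WOODPECKER_ADMIN = "cyplo";
        WOODPECKER_HOST = "https://${domain}";
        WOODPECKER_GITEA = "true";
        WOODPECKER_GITEA_URL = "https://git.cyplo.dev";
      };
      ports = [
        # Publish the plain-HTTP UI/API on loopback only. Without a host
        # address the port is bound on every interface, and published
        # container ports are set up through NAT rules that may not be
        # filtered by networking.firewall.allowedTCPPorts, which would let
        # clients reach the server without TLS and without nginx.
        "${loopback}:${toString httpPort}:${toString httpPort}"
        # Agents connect from other hosts, so this one stays on all interfaces.
        "${toString agentPort}:${toString agentPort}"
      ];
    };
  };
}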